Changing security on an AD CS template


Mike Leone

Dec 19, 2025, 4:00:27 PM
to NTSysAdmin
So we had a pentest done, and we got dinged for a couple things in our AD CS environment.

The template "PHAUserCertificateTemplate" is vulnerable to ESC4 by any member of the "Domain Users" group.

- So I opened up certserv, and went to "Manage template". And in the security of the above referenced template, it did have "Domain Users" with WRITE access. So I unchecked that. That should be all I need, right? I don't have to duplicate the template and create a new one, with a slightly different name?

It also has "Authenticated Users" with the same rights as Domain Users (Read, Enroll, Autoenroll), so I'm not sure I need to have Domain Users there at all. Can I remove Domain Users, in this scenario, since I already have Authenticated Users with those rights?

We also got dinged for

The CA “DCTRCERT002” appears to be vulnerable to ESC8.

This seems to be an NTLM relay attack, if I'm reading it correctly? So I would need to turn off NTLM completely? I'm not sure if that would break anything. Is there anything else I can do to alleviate this? I'm reading

network defenders can disable NTLM authentication using GPOs or configuring the associated IIS applications to only accept Kerberos authentication. If organizations cannot remove the endpoints or outright disable NTLM authentication, they should only allow HTTPS traffic and configure the IIS applications to Extended Protection for Authentication.

My web enrollment isn't working (I dunno why, I've just been working around it), so I dunno if I can change the IIS settings on it ...




--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
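The "Write" checkbox in the template's security tab is stored as an ACE on the template object in the Configuration partition of AD, which is what the CA enforces, so the direct way to confirm the ESC4 finding is closed is to read that ACL back. The script below is an added example, not from the thread; it assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and a constructed list of broad principals (adjust it to your domain). It lists every principal holding write-type rights on the named template, which is the ESC4 condition, while leaving Enroll/Autoenroll (ExtendedRight entries with their own object GUIDs) unflagged.

```powershell
# Added example: audit a certificate template's ACL for write-type rights (ESC4).
# Assumes RSAT ActiveDirectory module and rights to read the Configuration partition.
Import-Module ActiveDirectory

function Get-TemplateWriteRights {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        # Constructed list of principals that should never hold write rights on a template
        [string[]]$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Domain Computers', 'Everyone', 'Users')
    )
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    # Templates are usually stored with their display name (spaces removed) as CN; match either
    $template = Get-ADObject -SearchBase $searchBase `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(|(cn=$TemplateName)(displayName=$TemplateName)))"
    if (-not $template) { throw "Template '$TemplateName' not found under $searchBase" }

    # Rights that let a principal rewrite the template itself. Enroll/Autoenroll appear as
    # ExtendedRight with specific object GUIDs and are expected for Authenticated Users.
    $writeRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'

    $acl = Get-Acl -Path "AD:\$($template.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit    = $rights | Where-Object { $writeRights -contains $_ }
        if (-not $hit) { continue }
        $shortName = $ace.IdentityReference.Value -replace '^.*\\', ''
        [pscustomobject]@{
            Template  = $template.Name
            Principal = $ace.IdentityReference.Value
            Rights    = ($hit -join ',')
            # WriteProperty scoped to a single attribute (non-empty ObjectType) is narrower
            # than the "Write" checkbox, which grants it on the whole object
            AllProps  = ($ace.ObjectType -eq [guid]::Empty)
            Inherited = $ace.IsInherited
            Broad     = ($BroadPrincipals -contains $shortName)
        }
    }
}

# Template named in the pentest finding; any row with Broad = True needs attention
Get-TemplateWriteRights -TemplateName 'PHAUserCertificateTemplate' | Format-Table -AutoSize
```

Run it before and after saving the change in the template MMC; if no row comes back for Domain Users, the write right is gone from the object the CA reads, with no need to duplicate the template.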

Kurt Buff

Dec 19, 2025, 4:12:55 PM
to ntsys...@googlegroups.com
